Title

The MFD or Network Printer must employ the most current firmware available. (Cat II impact)

Discussion

MFD devices or printers utilizing old firmware can expose the network to known vulnerabilities leading to a denial of service or a compromise of sensitive data. While the MFD must use the most current firmware available, it must not use a “call-home” feature that is not allowed.

Check Content

The reviewer will verify that the MFD or Network Printer are flash upgradeable and are configured to use the most current firmware available. Ensure any “call-home” feature is disabled. If the MFD or Network Printer is not flash upgradeable, this is a finding. If the MFD or Network Printer is not configured with the most current firmware, this is a finding. If the MFD or Network Printer has the “call-home” feature enabled, this is a finding.

Fix Text

If the MFD or printer cannot be upgraded replace it. If the MFD or printer can be upgraded but is not using the latest release of the firmware, upgrade the firmware.

Additional Identifiers

Rule ID: SV-7002r2_rule

Vulnerability ID: V-6780

Group Title: MFD Firmware

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.